CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' (Scored)
ProfileApplicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.
The recommended state for this setting is: 30 or fewer days, but not 0 .
Note: A value of 0 does not conform to the benchmark as it disables maximum password age.
Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations.
Rationale:
In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
181 | P a g e
Made with FlippingBook - Online magazine maker